A magnet for misuse

The Investment Industry Regulatory Organization of Canada (IIROC) is considering a proposal that would give the self-regulatory organization (SRO) much deeper, richer oversight of market trading activity. However, the investment industry is concerned that this could create an irresistible target for hackers.

IIROC proposes amendments to its rules that would require the inclusion of client identifiers for every order sent to a market and all reported debt trades. Currently, only certain types of trades – such as those made through direct electronic access – must identify the client.

Capturing this information for all orders, IIROC’s proposal states, would make market surveillance and investigations much more efficient. In addition, analyzing trading data will be much easier if regulators have client identity information at their fingertips rather than stitching it together from various sources and making repeated requests for information from investment dealers. Yet, the industry is worried that creating such a detailed trading record could be a magnet for misuse.

According to a report from Investment Technology Group Inc. (ITG), IIROC’s proposal would allow the SRO to “create a near-perfect record of all trading.”

ITG’s report acknowledges that the regulatory objective is understandable. However, the report also states: “The creation of a single, near-perfect record creates a stunningly attractive target for cyberterrorists, never mind the risk that employees of vendors, marketplaces and the regulator could misuse the data.”

That concern is echoed in the comments submitted on IIROC’s proposals. (The comment period closed in mid-November.)

Toronto-based Scotia Capital Inc.’s submission regarding IIROC’s proposal warns that the data “would represent a treasure trove of confidential information.” If compromised, that could enable the “reverse engineering of client trading patterns and strategies, divulging client positions and generally exposing clients’ proprietary and confidential information,” the submission says. “Recent experience with data breaches in various industries suggests that no matter how well prepared, the risk of a breach is a real one.”

Several submissions to IIROC point to recent revelations of a cyber-intrusion at the U.S. Securities and Exchange Commission (SEC) to highlight the risk that even government agencies, which presumably have access to the best available cyberdefences, are susceptible to hacks.

Various other recent high-profile cyber-incidents, such as the massive data breach at Equifax Inc., also have investment dealers wary of the possibility of a similar, devastating hack in Canada.

Concerns about data security also have been raised in the U.S., where the SEC is implementing a consolidated audit trail (CAT) in an effort to beef up market surveillance. The CAT plan is slated to be phased in over the next couple of years. That plan, much like IIROC’s proposal, aims to give the SEC a more comprehensive view of trading activity, including identifying clients.

Yet, the Securities and Financial Markets Association in the U.S. also has called on regulators to delay implementation of the CAT plan, citing concerns about data security. But the SEC has declined to delay implementing the plan.

The concerns of Canada’s investment industry aren’t limited to breaches by external hackers. There are fears the data could be misused by market players seeking insight into their rivals’ trading positions and strategies.

“With access to such high-profile and valuable information, the possibility of information leakage, either directly or indirectly, becomes a bigger problem,” Scotia Capital’s submission states.

In light of these concerns, several submissions to IIROC propose alternative approaches, such as requiring dealers to report attributed order data to the SRO upon request rather than providing the data automatically.

Other submissions suggest that IIROC consider imposing the identification requirements only on large, institutional traders and excluding retail clients. That would reduce some of the cost of complying with the proposals.

Indeed, cost is another major concern. Several submissions point out that the task of providing additional client data will require both significant systems changes and expenditure of additional human resources.

Further, that submission states that NBF would need to upgrade several internal systems and databases to meet the proposed requirements and that the chore of encrypting all of the data remains a significant unknown cost.